Monitor for Console Sign In Without Multi-factor Authentication (MFA)
This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when a console sign in is made without multi-factor authentication.
Create a Metric Filter
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. In the navigation pane, choose Logs.
3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.
4. Choose Create Metric Filter.
5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:
   Note: For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.
6. Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter ConsoleSignInWithoutMfa.
7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.
8. In the Metric Name field, enter ConsoleSignInWithoutMfaCount.
9. Choose Metric Value, and then type 1.
   Note: If Metric Value does not appear, choose Show advanced metric settings first.
10. When you are finished, choose Create Filter.
Example: Create an Alarm
These steps are a continuation of the previous steps for creating a metric filter.
1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.
2. When you are finished, choose Create Alarm.
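The same metric filter and alarm as boto3 request parameters, with an offline checker that applies the filter logic to sample CloudTrail events; this is an added example, not AWS's own code or the page's. The filter pattern, the alarm's period and threshold, and the sample events are assumptions, since the page as extracted does not carry them.

```python
# Names from the console steps on this page.
FILTER_NAME = "ConsoleSignInWithoutMfa"
METRIC_NAMESPACE = "CloudTrailMetrics"
METRIC_NAME = "ConsoleSignInWithoutMfaCount"
METRIC_VALUE = "1"
# The pattern text did not survive on the page; this one is assumed
# (ConsoleLogin events where MFAUsed is not "Yes"), not quoted from it.
FILTER_PATTERN = ('{ ($.eventName = "ConsoleLogin") && '
                  '($.additionalEventData.MFAUsed != "Yes") }')

def console_login_without_mfa(event: dict) -> bool:
    """Python mirror of FILTER_PATTERN for checking sample events offline."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    # A missing MFAUsed counts as "not Yes" here; that is this example's
    # conservative choice, not a claim about CloudWatch's own semantics.
    return event.get("additionalEventData", {}).get("MFAUsed") != "Yes"

def metric_filter_params(log_group_name: str) -> dict:
    """kwargs for boto3 logs.put_metric_filter matching the filter steps."""
    return {"logGroupName": log_group_name, "filterName": FILTER_NAME,
            "filterPattern": FILTER_PATTERN,
            "metricTransformations": [{"metricName": METRIC_NAME,
                                       "metricNamespace": METRIC_NAMESPACE,
                                       "metricValue": METRIC_VALUE}]}

def alarm_params(sns_topic_arn: str) -> dict:
    """kwargs for boto3 cloudwatch.put_metric_alarm; Period/Threshold are
    assumed (alarm on any match in a 5-minute window), not from the page."""
    return {"AlarmName": FILTER_NAME, "Namespace": METRIC_NAMESPACE,
            "MetricName": METRIC_NAME, "Statistic": "Sum", "Period": 300,
            "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [sns_topic_arn]}

# Constructed sample CloudTrail events, not real log data.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin"},  # no additionalEventData at all
    {"eventName": "GetCallerIdentity"},  # not a console sign-in
]

def count_matches(events: list) -> int:
    """How many events would add METRIC_VALUE (1) to the metric."""
    return sum(console_login_without_mfa(e) for e in events)
```

Pass the returned dicts as `**kwargs` to the boto3 `logs` and `cloudwatch` clients to apply the same configuration the console steps produce.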